fatalrat | a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f

General

Target

a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe
Size

381KB
MD5

7184e797d51213a2fffdf444a6414c62
SHA1

852820704d15282094c7eba2eca06b08f3c79f00
SHA256

a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f
SHA512

34707979c87afd8269eab68c602cde0894eb22502bfcca869f4a27647af5c9f9afcf98b5cfc679e3a278cbb52b8eb88c78a09526d68204dd6517fbe1cb4c0004
SSDEEP

6144:dfHfaTjCTyXGouH3OYBUniLDGpcRbqipUdaXrMjOBvB37WNkGkYpFP41Ftcg74LE:ktan2wDGpcRbOda7MjW53CNTdpa1zUlv

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4972-90-0x0000000002E50000-0x0000000002E7A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

M5M5P5f.exe

pid	Process
4972	M5M5P5f.exe

Loads dropped DLL 2 IoCs

Processes:

M5M5P5f.exe

pid	Process
4972	M5M5P5f.exe
4972	M5M5P5f.exe

Drops file in System32 directory 1 IoCs

Processes:

M5M5P5f.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\M5M5P5f.exe	M5M5P5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

M5M5P5f.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M5M5P5f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe

pid	Process
2716	a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe
2716	a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe
2716	a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe
2716	a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

M5M5P5f.exe

description	pid	Process
Token: SeDebugPrivilege	4972	M5M5P5f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe
"C:\Users\Admin\AppData\Local\Temp\a06ddac0b0d77df2030845fb76ee2929c37635ed9b5391bb68bf2d81a2b7875f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\ProgramData\M3M6M5\M5M5P5f.exe
C:\ProgramData\M3M6M5\M5M5P5f.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\M3M6M5\M5M5P5f.exe

Filesize
89KB

MD5
88848fa9ee78e13e547610b473f0c5b2

SHA1
6d7fc0447841698906f140463bad2ff3c68eab67

SHA256
9217361e34f164a810a105cdef2b38a27ddf1a0f722eca37cb28a0255df16915

SHA512
0ceaf6dc466ea6c83670ab64c2090f0a97477e3ae0670173e60bc8b87a0ad86e7fc7322c5581af7aa57547d4c6ce8e4614784a0e164ad047c998b395ee626255

Download Submit
C:\ProgramData\M3M6M5\longlq.cl

Filesize
1.2MB

MD5
1eaf8e0901eb3c862a865def25820db7

SHA1
98eb757704afc7be53d5dd9da9c802fc30650d54

SHA256
2f7b69ed3ae26ba8afb5d33f67a409232ce8d05c789e862dbbdd047e90b805ef

SHA512
e6eee6009ed1d3a92fa08fe1b791b499eeab2b36228d8f56174edaaf1c53596fc5644210dfc8aeac68333ed6db1d9792e410b2faad12d6958765bcf2ab740bf3

Download Submit
C:\ProgramData\M3M6M5\mfc100.dll

Filesize
1.2MB

MD5
1a283e4e67b0e6fa3c5b64b7a80aa187

SHA1
f990b4a83f187f6caaeaa1748506e19c9ff06242

SHA256
db8c3b2621d1048d93b609c0310f43d26d537124d4b6fe4f8843339b05430322

SHA512
f0254eafaedda66cf17be66433bd86bba6d4e8cff784bda439dd086d11f3f4de4cd6ac2436523020b027021c1ff67276c5d3db5bda6899715cb087cdb83891df

Download Submit
C:\ProgramData\M3M6M5\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\J3J2J\3J3M.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\J3J2J\website_secure_lnk.lnk

Filesize
797B

MD5
1ab4b3c636eac7da97ef2845198a8f5b

SHA1
bea0d2cc95a82328983fbf5a3f02576c35ab2fda

SHA256
5fefc0dd6c9d96de8ee238a741a333a29e6e9f09bff61545dc1ed0407910da18

SHA512
53d48e7dd95693978c7b412fa209d013a4512d69445322483e5e3ad89712719fac7259c7822addc799ba174a01ad5aa4988183e3dc250767e07d91ea7bbe5478

Download Submit
C:\Users\Public\2M5L5O

Filesize
1.1MB

MD5
4b48402ea22fbfe680447fdd71569268

SHA1
99b81431ebde6f1a83e9db77dd1b8b434f08a105

SHA256
36465168be445231526aeb8c8e7c1e1569d482f27f8c6e0c995e2ba827947989

SHA512
e932f002020156591f395c97501f1e577ae7fd2c79dd449d2866580cf7d6282289579b27b0e5bf9e29a00a8ae5cecad44f78e5d44aefbb2ec46dcc9c38402365

Download Submit
memory/2716-70-0x0000000002010000-0x0000000002060000-memory.dmp

Filesize
320KB

Download
memory/2716-0-0x0000000002010000-0x0000000002060000-memory.dmp

Filesize
320KB

Download
memory/2716-40-0x0000000002010000-0x0000000002060000-memory.dmp

Filesize
320KB

Download
memory/2716-8-0x0000000002EB0000-0x0000000003171000-memory.dmp

Filesize
2.8MB

Download
memory/2716-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/4972-80-0x0000000002DA0000-0x0000000002DD1000-memory.dmp

Filesize
196KB

Download
memory/4972-90-0x0000000002E50000-0x0000000002E7A000-memory.dmp

Filesize
168KB

Download
memory/4972-85-0x0000000003520000-0x000000000354D000-memory.dmp

Filesize
180KB

Download
memory/4972-84-0x0000000002E20000-0x0000000002E47000-memory.dmp

Filesize
156KB

Download
memory/4972-79-0x0000000002D60000-0x0000000002D92000-memory.dmp

Filesize
200KB

Download
memory/4972-96-0x0000000003520000-0x000000000354D000-memory.dmp

Filesize
180KB

Download
memory/4972-95-0x0000000003520000-0x000000000354D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads